Recently, the Pennsylvania Superior Court ruled in favor of data breach plaintiff Avrum Baum, giving him a second chance to certify a class action suit against Keystone Mercy Health Plan. Baum brought suit against the insurer and its affiliate, AmeriHealth Mercy Health Plan, after it misplaced an unencrypted flash drive containing the personal health records of more than 200,000 subscribers. Baum contends that Keystone Mercy violated the privacy rights of these subscribers, including his daughter, when electronically stored names, addresses, dates of birth, Social Security numbers, and clinical and health screening information were lost.

Keystone Mercy’s Chief Compliance and Privacy Officer discovered that the flash drive was missing in September of 2010. As a result of the breach, the insurer offered credit monitoring services to 808 individuals whose partial or complete Social Security numbers were maintained on the drive. They also provided notice of the missing data to the Pennsylvania Department of Public Welfare and the Federal Department of Health and Human Services Office of Civil Rights.

After lodging allegations that Keystone Mercy violated the catchall provision of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law (“UTPCPL”), Baum filed a motion with the Philadelphia Court of Common Pleas for class action certification. His complaint characterized the potential class as all subscribers whose personal health records or other confidential or private information was compromised through Keystone Mercy’s improper handling of the flash drive. The trial court conducted a hearing and, on July 25, 2013, entered an order denying the motion. Baum subsequently appealed.

The UTPCPL allows any private, individual purchaser who suffers ascertainable monetary or property loss as a result of an unlawful act to recover actual damages. This consumer protection law seeks to prevent unfair competition and deceptive conduct in trade or commerce and, according to the Supreme Court of Pennsylvania, should be construed liberally in order to “effect its legislative goal.” See Fazio v. Guardian Life Ins. Co. of Am., 62 A.3d 396, 405 (Pa. Super. 2013).

Historically, UTPCPL plaintiffs were required to show justifiable reliance on a defendant’s wrongful conduct and subsequent harm suffered as a result of that reliance. Yocca v. Pittsburgh Steelers Sports, Inc., 854 A.2d 425, 438 (Pa. 2004). In this way, the trial court concluded, class treatment of Baum’s allegations sounding in fraud was inappropriate.

The Superior Court, however, held that plaintiffs pursuing claims under the UTPCPL’s catchall provision do not need to show reliance, citing to Grimes v. Enterprise Leasing Co. of Phila., LLC, 66 A.3d 330, 337 n.4 (Pa. Super. 2013); Bennett v. A.T. Masterpiece Homes at Broadsprings, LLC, 40 A.3d 145, 152 n.5 (Pa. Super. 2012). The court explained that the provision defines unfair methods of competition and business practices as “fraudulent or deceptive conduct” which creates confusion or misunderstanding. In this way, justifiable reliance is not necessary to recover damages where a complaint alleges deceptive conduct. Therefore, because Baum’s complaint specifically alleged both fraudulent and deceptive conduct on the part of Keystone Mercy, the trial court’s denial of the motion to certify his claim as a class action was improper.

The Superior Court three-judge panel remanded Baum’s case to the trial court for further consideration of the conditions required for class action certification. Whether the class will be certified remains to be seen, but the Superior Court’s holding may provide another avenue for data breach plaintiffs to have their day in court.

Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.

About Cyber Law Monitor

In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration, it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.

Disclaimer
This Blog/Website is made available by the lawyer or law firm publisher for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney client relationship between you and the Blog/Website publisher. The Blog/Website should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.